Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report whitesee.exe

Overview

General Information

Sample Name:whitesee.exe
Analysis ID:291640
MD5:0cfa4f3ed5b5440603745b65304f97a6
SHA1:0d80868f8da476e3a6e7e0181be643b85403bc78
SHA256:78a253ee0430aeb4feb92eb0641433d908a8c2c29b0d5919dbb4fa556dec3e46
Tags:exe

Most interesting Screenshot:

Detection

Azorult GuLoader Lokibot
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected Azorult
Yara detected GuLoader
Yara detected Lokibot
Binary contains a suspicious time stamp
Contains functionality to hide a thread from the debugger
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • whitesee.exe (PID: 2788 cmdline: 'C:\Users\user\Desktop\whitesee.exe' MD5: 0CFA4F3ED5B5440603745B65304F97A6)
    • whitesee.exe (PID: 2396 cmdline: 'C:\Users\user\Desktop\whitesee.exe' MD5: 0CFA4F3ED5B5440603745B65304F97A6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.277281514.0000000000560000.00000040.00000001.sdmpJoeSecurity_GuLoaderYara detected GuLoaderJoe Security
    00000001.00000003.272299325.000000001E968000.00000004.00000001.sdmpJoeSecurity_Azorult_1Yara detected AzorultJoe Security
      00000001.00000003.277143523.000000001E060000.00000004.00000001.sdmpJoeSecurity_Azorult_1Yara detected AzorultJoe Security
        00000001.00000003.269984627.000000001E95C000.00000004.00000001.sdmpJoeSecurity_Azorult_1Yara detected AzorultJoe Security
          00000001.00000003.272222097.000000001E968000.00000004.00000001.sdmpJoeSecurity_Azorult_1Yara detected AzorultJoe Security
            Click to see the 10 entries

            Sigma Overview

            No Sigma rule has matched

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Antivirus / Scanner detection for submitted sampleShow sources
            Source: whitesee.exeAvira: detected
            Multi AV Scanner detection for submitted fileShow sources
            Source: whitesee.exeVirustotal: Detection: 17%Perma Link
            Source: whitesee.exeReversingLabs: Detection: 27%
            Source: 1.0.whitesee.exe.400000.0.unpackAvira: Label: TR/Injector.isdrr
            Source: 0.0.whitesee.exe.400000.0.unpackAvira: Label: TR/Injector.isdrr
            Source: Joe Sandbox ViewASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: unknownDNS traffic detected: queries for: onedrive.live.com
            Source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, softokn3.dll.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
            Source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, softokn3.dll.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
            Source: whitesee.exe, 00000001.00000003.266621743.00000000009D4000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACer
            Source: whitesee.exe, 00000001.00000002.277685320.0000000000A19000.00000004.00000020.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
            Source: whitesee.exe, 00000001.00000003.268159009.00000000009EF000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, softokn3.dll.1.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
            Source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, softokn3.dll.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
            Source: whitesee.exe, 00000001.00000003.266621743.00000000009D4000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
            Source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, softokn3.dll.1.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
            Source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, softokn3.dll.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
            Source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, softokn3.dll.1.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
            Source: whitesee.exe, 00000001.00000002.277685320.0000000000A19000.00000004.00000020.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
            Source: whitesee.exe, 00000001.00000002.277685320.0000000000A19000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com0
            Source: whitesee.exe, 00000001.00000003.266621743.00000000009D4000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0:
            Source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, softokn3.dll.1.drString found in binary or memory: http://ocsp.digicert.com0C
            Source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, softokn3.dll.1.drString found in binary or memory: http://ocsp.digicert.com0N
            Source: whitesee.exe, 00000001.00000003.266621743.00000000009D4000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.msocsp.com0
            Source: whitesee.exe, 00000001.00000002.277685320.0000000000A19000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.sectigo.com0)
            Source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, softokn3.dll.1.drString found in binary or memory: http://ocsp.thawte.com0
            Source: whitesee.exe, 00000001.00000003.267935620.00000000009F7000.00000004.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
            Source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, softokn3.dll.1.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
            Source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, softokn3.dll.1.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
            Source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, softokn3.dll.1.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
            Source: mozglue.dll.1.drString found in binary or memory: http://www.mozilla.com/en-US/blocklist/
            Source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, softokn3.dll.1.drString found in binary or memory: http://www.mozilla.com0
            Source: whitesee.exe, 00000001.00000003.277129860.000000001E950000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.c
            Source: whitesee.exe, 00000001.00000003.267935620.00000000009F7000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehp
            Source: whitesee.exe, 00000001.00000003.267935620.00000000009F7000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehp;b
            Source: whitesee.exe, 00000001.00000003.277129860.000000001E950000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iP
            Source: whitesee.exe, 00000001.00000002.277579718.0000000000971000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
            Source: whitesee.exe, 00000001.00000002.277579718.0000000000971000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp%wL
            Source: whitesee.exe, 00000001.00000003.277129860.000000001E950000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-chx
            Source: whitesee.exe, 00000001.00000003.277129860.000000001E950000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-chx;http://www.msn.com/de-ch/
            Source: whitesee.exe, 00000001.00000003.268363493.0000000000A0E000.00000004.00000001.sdmp, 67227813536691329426550.tmp.1.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: whitesee.exe, 00000001.00000003.268363493.0000000000A0E000.00000004.00000001.sdmp, 67227813536691329426550.tmp.1.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: whitesee.exe, 00000001.00000003.268363493.0000000000A0E000.00000004.00000001.sdmp, 67227813536691329426550.tmp.1.drString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: 67227813536691329426550.tmp.1.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: whitesee.exe, 00000001.00000003.268363493.0000000000A0E000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabd
            Source: whitesee.exe, 00000001.00000003.268363493.0000000000A0E000.00000004.00000001.sdmp, 67227813536691329426550.tmp.1.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: whitesee.exe, 00000001.00000002.277579718.0000000000971000.00000004.00000020.sdmpString found in binary or memory: https://onedrive.live.com/Q
            Source: whitesee.exe, 00000001.00000002.277579718.0000000000971000.00000004.00000020.sdmpString found in binary or memory: https://onedrive.live.com/a
            Source: whitesee.exe, 00000001.00000002.277281514.0000000000560000.00000040.00000001.sdmpString found in binary or memory: https://onedrive.live.com/download?cid=4C3F5C65A99DA195&resid=4C3F5C65A99DA195%21225&authkey=ANo4F75
            Source: whitesee.exe, 00000001.00000003.268363493.0000000000A0E000.00000004.00000001.sdmp, 67227813536691329426550.tmp.1.drString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
            Source: whitesee.exe, 00000001.00000003.268363493.0000000000A0E000.00000004.00000001.sdmp, 67227813536691329426550.tmp.1.drString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: whitesee.exe, 00000001.00000002.277685320.0000000000A19000.00000004.00000020.sdmpString found in binary or memory: https://sectigo.com/CPS0
            Source: whitesee.exe, 00000001.00000002.277579718.0000000000971000.00000004.00000020.sdmpString found in binary or memory: https://ss0idq.bl.files.1drv.com/
            Source: whitesee.exe, 00000001.00000002.277611176.00000000009A6000.00000004.00000020.sdmpString found in binary or memory: https://ss0idq.bl.files.1drv.com/y4mQN2g4GgaGX8ZGUXNqQ9hde_O6JGjOsty8WqfLMPhATLhO20zWV-XHuQgnqXqMGZf
            Source: whitesee.exe, 00000001.00000002.277579718.0000000000971000.00000004.00000020.sdmpString found in binary or memory: https://techvita.biz/
            Source: whitesee.exe, 00000001.00000003.266245528.00000000009A6000.00000004.00000001.sdmpString found in binary or memory: https://techvita.biz/7
            Source: whitesee.exe, 00000001.00000003.266233315.000000000098C000.00000004.00000001.sdmp, whitesee.exe, 00000001.00000003.277143523.000000001E060000.00000004.00000001.sdmp, whitesee.exe, 00000001.00000002.277644333.00000000009D4000.00000004.00000020.sdmpString found in binary or memory: https://techvita.biz/PL341/index.php
            Source: whitesee.exe, 00000001.00000002.277644333.00000000009D4000.00000004.00000020.sdmpString found in binary or memory: https://techvita.biz/PL341/index.php;Ow
            Source: whitesee.exe, 00000001.00000002.277611176.00000000009A6000.00000004.00000020.sdmpString found in binary or memory: https://techvita.biz/PL341/index.phpNCYCDFIJJ.xlsx
            Source: whitesee.exe, 00000001.00000002.277579718.0000000000971000.00000004.00000020.sdmpString found in binary or memory: https://techvita.biz/l
            Source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, softokn3.dll.1.drString found in binary or memory: https://www.digicert.com/CPS0
            Source: whitesee.exe, 00000001.00000003.267935620.00000000009F7000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/
            Source: whitesee.exe, 00000001.00000003.267935620.00000000009F7000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/Ob
            Source: whitesee.exe, 00000001.00000003.268159009.00000000009EF000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.pgg
            Source: whitesee.exe, 00000001.00000003.267935620.00000000009F7000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
            Source: whitesee.exe, 00000001.00000003.267935620.00000000009F7000.00000004.00000001.sdmp, whitesee.exe, 00000001.00000002.277611176.00000000009A6000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
            Source: whitesee.exe, 00000001.00000003.268363493.0000000000A0E000.00000004.00000001.sdmp, 67227813536691329426550.tmp.1.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
            Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443

            System Summary:

            barindex
            Potential malicious icon foundShow sources
            Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
            Source: C:\Users\user\Desktop\whitesee.exeCode function: 0_2_02191F20 NtSetInformationThread,TerminateProcess,0_2_02191F20
            Source: C:\Users\user\Desktop\whitesee.exeCode function: 0_2_02190242 EnumWindows,NtSetInformationThread,TerminateProcess,0_2_02190242
            Source: C:\Users\user\Desktop\whitesee.exeCode function: 0_2_02191679 NtWriteVirtualMemory,0_2_02191679
            Source: C:\Users\user\Desktop\whitesee.exeCode function: 0_2_02193498 NtSetInformationThread,TerminateProcess,0_2_02193498
            Source: C:\Users\user\Desktop\whitesee.exeCode function: 0_2_02193B9F NtResumeThread,0_2_02193B9F
            Source: C:\Users\user\Desktop\whitesee.exeCode function: 0_2_021937FE NtProtectVirtualMemory,0_2_021937FE
            Source: C:\Users\user\Desktop\whitesee.exeCode function: 0_2_02191716 NtWriteVirtualMemory,0_2_02191716
            Source: C:\Users\user\Desktop\whitesee.exeCode function: 0_2_02193C0D NtResumeThread,0_2_02193C0D
            Source: C:\Users\user\Desktop\whitesee.exeCode function: 0_2_02193C5E NtResumeThread,0_2_02193C5E
            Source: C:\Users\user\Desktop\whitesee.exeCode function: 0_2_0219187D NtWriteVirtualMemory,0_2_0219187D
            Source: C:\Users\user\Desktop\whitesee.exeCode function: 0_2_02190285 NtSetInformationThread,TerminateProcess,0_2_02190285
            Source: C:\Users\user\Desktop\whitesee.exeCode function: 0_2_02193BA5 NtResumeThread,0_2_02193BA5
            Source: whitesee.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: api-ms-win-core-debug-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
            Source: api-ms-win-core-console-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
            Source: api-ms-win-core-datetime-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
            Source: whitesee.exe, 00000000.00000002.223384637.0000000000409000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameGROSGRAINBRITIS.exe vs whitesee.exe
            Source: whitesee.exe, 00000000.00000002.223921366.0000000002910000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameGROSGRAINBRITIS.exeFE2XNN9 vs whitesee.exe
            Source: whitesee.exe, 00000001.00000003.257476126.000000001ECB4000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs whitesee.exe
            Source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamenss3.dll0 vs whitesee.exe
            Source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamenssdbm3.dll0 vs whitesee.exe
            Source: whitesee.exe, 00000001.00000003.261114481.000000001E2B0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameucrtbase.dllj% vs whitesee.exe
            Source: whitesee.exe, 00000001.00000003.260978377.000000001ECE4000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamesoftokn3.dll0 vs whitesee.exe
            Source: whitesee.exe, 00000001.00000002.287326264.000000001DC50000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs whitesee.exe
            Source: whitesee.exe, 00000001.00000003.261725476.0000000000060000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamevcruntime140.dll^ vs whitesee.exe
            Source: whitesee.exe, 00000001.00000003.259615178.000000001ED04000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemozglue.dll0 vs whitesee.exe
            Source: whitesee.exe, 00000001.00000003.260016352.000000001E064000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemsvcp140.dll^ vs whitesee.exe
            Source: whitesee.exe, 00000001.00000000.222588124.0000000000409000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameGROSGRAINBRITIS.exe vs whitesee.exe
            Source: whitesee.exe, 00000001.00000002.287350023.000000001DDA0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs whitesee.exe
            Source: whitesee.exe, 00000001.00000003.273555829.000000001EEA0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamefreebl3.dll0 vs whitesee.exe
            Source: whitesee.exeBinary or memory string: OriginalFilenameGROSGRAINBRITIS.exe vs whitesee.exe
            Source: C:\Users\user\Desktop\whitesee.exeSection loaded: crtdll.dllJump to behavior
            Source: classification engineClassification label: mal100.rans.phis.troj.spyw.evad.winEXE@3/53@5/1
            Source: C:\Users\user\Desktop\whitesee.exeMutant created: \Sessions\1\BaseNamedObjects\AE86A6D5F-9414907A-57CDE79F-9098792F-D9AC8D11
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\Jump to behavior
            Source: whitesee.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\whitesee.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: whitesee.exe, 00000001.00000003.260978377.000000001ECE4000.00000004.00000001.sdmp, softokn3.dll.1.drBinary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
            Source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, nss3.dll.1.drBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: whitesee.exe, 00000001.00000003.260978377.000000001ECE4000.00000004.00000001.sdmp, softokn3.dll.1.drBinary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
            Source: whitesee.exe, 00000001.00000003.260978377.000000001ECE4000.00000004.00000001.sdmp, softokn3.dll.1.drBinary or memory string: SELECT ALL * FROM %s LIMIT 0;
            Source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, nss3.dll.1.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
            Source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, nss3.dll.1.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
            Source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, nss3.dll.1.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
            Source: whitesee.exe, 00000001.00000003.260978377.000000001ECE4000.00000004.00000001.sdmp, softokn3.dll.1.drBinary or memory string: UPDATE %s SET %s WHERE id=$ID;
            Source: whitesee.exe, 00000001.00000003.260978377.000000001ECE4000.00000004.00000001.sdmp, softokn3.dll.1.drBinary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
            Source: whitesee.exe, 00000001.00000003.260978377.000000001ECE4000.00000004.00000001.sdmp, softokn3.dll.1.drBinary or memory string: SELECT ALL id FROM %s WHERE %s;
            Source: whitesee.exe, 00000001.00000003.260978377.000000001ECE4000.00000004.00000001.sdmp, softokn3.dll.1.drBinary or memory string: SELECT ALL id FROM %s;
            Source: whitesee.exe, 00000001.00000003.260978377.000000001ECE4000.00000004.00000001.sdmp, softokn3.dll.1.drBinary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
            Source: whitesee.exe, 00000001.00000003.260978377.000000001ECE4000.00000004.00000001.sdmp, softokn3.dll.1.drBinary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
            Source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, nss3.dll.1.drBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, nss3.dll.1.drBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, nss3.dll.1.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
            Source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, nss3.dll.1.drBinary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
            Source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, nss3.dll.1.drBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
            Source: whitesee.exe, 00000001.00000003.260978377.000000001ECE4000.00000004.00000001.sdmp, softokn3.dll.1.drBinary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
            Source: whitesee.exeVirustotal: Detection: 17%
            Source: whitesee.exeReversingLabs: Detection: 27%
            Source: unknownProcess created: C:\Users\user\Desktop\whitesee.exe 'C:\Users\user\Desktop\whitesee.exe'
            Source: unknownProcess created: C:\Users\user\Desktop\whitesee.exe 'C:\Users\user\Desktop\whitesee.exe'
            Source: C:\Users\user\Desktop\whitesee.exeProcess created: C:\Users\user\Desktop\whitesee.exe 'C:\Users\user\Desktop\whitesee.exe' Jump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\OutlookJump to behavior
            Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.264093965.000000001F6C4000.00000004.00000001.sdmp, api-ms-win-crt-locale-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.264426222.000000001F6D8000.00000004.00000001.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: whitesee.exe, 00000001.00000003.259615178.000000001ED04000.00000004.00000001.sdmp, mozglue.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, nss3.dll.1.dr
            Source: Binary string: ucrtbase.pdb source: whitesee.exe, 00000001.00000003.261114481.000000001E2B0000.00000004.00000001.sdmp, ucrtbase.dll.1.dr
            Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: whitesee.exe, 00000001.00000003.261795051.000000001F62C000.00000004.00000001.sdmp, api-ms-win-core-file-l1-2-0.dll.1.dr
            Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.261982426.000000001F654000.00000004.00000001.sdmp, api-ms-win-core-memory-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.261795051.000000001F62C000.00000004.00000001.sdmp, api-ms-win-core-debug-l1-1-0.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: whitesee.exe, 00000001.00000003.273555829.000000001EEA0000.00000004.00000001.sdmp, freebl3.dll.1.dr
            Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.262521371.000000001F678000.00000004.00000001.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.263922518.000000001F6AC000.00000004.00000001.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.264903612.000000001F6F4000.00000004.00000001.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.261958183.000000001F650000.00000004.00000001.sdmp, api-ms-win-core-heap-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.262521371.000000001F678000.00000004.00000001.sdmp, api-ms-win-core-util-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.257868373.000000001ECAC000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-1-0.dll.1.dr
            Source: Binary string: vcruntime140.i386.pdbGCTL source: whitesee.exe, 00000001.00000003.261725476.0000000000060000.00000004.00000001.sdmp, vcruntime140.dll.1.dr
            Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.258050368.000000001ECB4000.00000004.00000001.sdmp, api-ms-win-crt-environment-l1-1-0.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: whitesee.exe, 00000001.00000003.259615178.000000001ED04000.00000004.00000001.sdmp, mozglue.dll.1.dr
            Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.257134119.000000001ECA8000.00000004.00000001.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.262322263.000000001F674000.00000004.00000001.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.272324790.000000001F2F0000.00000004.00000001.sdmp, api-ms-win-core-console-l1-1-0.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: whitesee.exe, 00000001.00000003.273555829.000000001EEA0000.00000004.00000001.sdmp, freebl3.dll.1.dr
            Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.261795051.000000001F62C000.00000004.00000001.sdmp, api-ms-win-core-file-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.264426222.000000001F6D8000.00000004.00000001.sdmp, api-ms-win-crt-private-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.258008597.000000001ECAC000.00000004.00000001.sdmp, api-ms-win-crt-convert-l1-1-0.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: whitesee.exe, 00000001.00000003.260978377.000000001ECE4000.00000004.00000001.sdmp, softokn3.dll.1.dr
            Source: Binary string: msvcp140.i386.pdb source: whitesee.exe, 00000001.00000003.260016352.000000001E064000.00000004.00000001.sdmp, msvcp140.dll.1.dr
            Source: Binary string: ucrtbase.pdbUGP source: whitesee.exe, 00000001.00000003.261114481.000000001E2B0000.00000004.00000001.sdmp, ucrtbase.dll.1.dr
            Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.262521371.000000001F678000.00000004.00000001.sdmp, api-ms-win-core-profile-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.264903612.000000001F6F4000.00000004.00000001.sdmp, api-ms-win-crt-time-l1-1-0.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, nssdbm3.dll.1.dr
            Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.257271252.000000001ECA8000.00000004.00000001.sdmp, api-ms-win-core-handle-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: whitesee.exe, 00000001.00000003.262521371.000000001F678000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-2-0.dll.1.dr
            Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.257649667.000000001ECBC000.00000004.00000001.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.261795051.000000001F62C000.00000004.00000001.sdmp, api-ms-win-core-datetime-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.258008597.000000001ECAC000.00000004.00000001.sdmp, api-ms-win-crt-conio-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: whitesee.exe, 00000001.00000003.261982426.000000001F654000.00000004.00000001.sdmp, api-ms-win-core-localization-l1-2-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.264093965.000000001F6C4000.00000004.00000001.sdmp, api-ms-win-crt-math-l1-1-0.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: whitesee.exe, 00000001.00000003.260978377.000000001ECE4000.00000004.00000001.sdmp, softokn3.dll.1.dr
            Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: whitesee.exe, 00000001.00000003.262521371.000000001F678000.00000004.00000001.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.1.dr
            Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.257567366.000000001ECB4000.00000004.00000001.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
            Source: Binary string: vcruntime140.i386.pdb source: whitesee.exe, 00000001.00000003.261725476.0000000000060000.00000004.00000001.sdmp, vcruntime140.dll.1.dr
            Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.258213850.000000001ECB8000.00000004.00000001.sdmp, api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.264903612.000000001F6F4000.00000004.00000001.sdmp, api-ms-win-crt-utility-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.262521371.000000001F678000.00000004.00000001.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: whitesee.exe, 00000001.00000003.265434867.000000001EA50000.00000004.00000001.sdmp, nssdbm3.dll.1.dr
            Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.262521371.000000001F678000.00000004.00000001.sdmp, api-ms-win-core-timezone-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.262521371.000000001F678000.00000004.00000001.sdmp, api-ms-win-core-string-l1-1-0.dll.1.dr
            Source: Binary string: msvcp140.i386.pdbGCTL source: whitesee.exe, 00000001.00000003.260016352.000000001E064000.00000004.00000001.sdmp, msvcp140.dll.1.dr
            Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: whitesee.exe, 00000001.00000003.261795051.000000001F62C000.00000004.00000001.sdmp, api-ms-win-core-file-l2-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.264426222.000000001F6D8000.00000004.00000001.sdmp, api-ms-win-crt-process-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.257476126.000000001ECB4000.00000004.00000001.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.261982426.000000001F654000.00000004.00000001.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.263922518.000000001F6AC000.00000004.00000001.sdmp, api-ms-win-crt-heap-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: whitesee.exe, 00000001.00000003.264903612.000000001F6F4000.00000004.00000001.sdmp, api-ms-win-crt-string-l1-1-0.dll.1.dr

            Data Obfuscation:

            barindex
            Yara detected GuLoaderShow sources
            Source: Yara matchFile source: 00000001.00000002.277281514.0000000000560000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: whitesee.exe PID: 2396, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: whitesee.exe PID: 2788, type: MEMORY
            Binary contains a suspicious time stampShow sources
            Source: initial sampleStatic PE information: 0xAC22BA81 [Thu Jul 7 10:18:41 2061 UTC]
            Yara detected VB6 Downloader GenericShow sources
            Source: Yara matchFile source: Process Memory Space: whitesee.exe PID: 2396, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: whitesee.exe PID: 2788, type: MEMORY
            Source: C:\Users\user\Desktop\whitesee.exeCode function: 0_2_00402462 push E3BC59B6h; ret 0_2_00402467
            Source: C:\Users\user\Desktop\whitesee.exeCode function: 0_2_00402F72 push 00000044h; ret 0_2_00402F7F
            Source: C:\Users\user\Desktop\whitesee.exeCode function: 0_2_00404A7E push 6C5B888Dh; ret 0_2_00404A83
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\msvcp140.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\nss3.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-string-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-multibyte-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-private-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-locale-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\mozglue.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-string-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\ucrtbase.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\softokn3.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-console-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-file-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-util-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\freebl3.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\nssdbm3.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\vcruntime140.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-file-l1-2-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-file-l2-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeFile created: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion:

            barindex
            Tries to detect Any.runShow sources
            Source: C:\Users\user\Desktop\whitesee.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
            Source: whitesee.exe, whitesee.exe, 00000001.00000002.277281514.0000000000560000.00000040.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Source: C:\Users\user\Desktop\whitesee.exeCode function: 0_2_02191F20 rdtsc 0_2_02191F20
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-string-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-util-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\freebl3.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\nssdbm3.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-multibyte-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-private-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-file-l1-2-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-locale-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-string-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\softokn3.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-console-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-file-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-file-l2-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\83235B7C\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\whitesee.exeRegistry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
            Source: C:\Users\user\Desktop\whitesee.exe TID: 256Thread sleep count: 159 > 30Jump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\whitesee.exeLast function: Thread delayed
            Source: whitesee.exe, 00000000.00000002.229468015.000000000460A000.00000004.00000001.sdmp, whitesee.exe, 00000001.00000002.277762934.000000000240A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Guest Shutdown Service
            Source: whitesee.exe, 00000000.00000002.229468015.000000000460A000.00000004.00000001.sdmp, whitesee.exe, 00000001.00000002.277762934.000000000240A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
            Source: whitesee.exe, 00000001.00000002.277762934.000000000240A000.00000004.00000001.sdmpBinary or memory string: vmicshutdown
            Source: whitesee.exe, 00000000.00000002.229468015.000000000460A000.00000004.00000001.sdmp, whitesee.exe, 00000001.00000002.277762934.000000000240A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Volume Shadow Copy Requestor
            Source: whitesee.exe, 00000001.00000002.277559266.0000000000947000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW@x
            Source: whitesee.exe, 00000000.00000002.229468015.000000000460A000.00000004.00000001.sdmp, whitesee.exe, 00000001.00000002.277762934.000000000240A000.00000004.00000001.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
            Source: whitesee.exe, 00000000.00000002.229468015.000000000460A000.00000004.00000001.sdmp, whitesee.exe, 00000001.00000002.277762934.000000000240A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Time Synchronization Service
            Source: whitesee.exe, 00000001.00000002.277762934.000000000240A000.00000004.00000001.sdmpBinary or memory string: vmicvss
            Source: whitesee.exe, 00000001.00000003.266233315.000000000098C000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
            Source: whitesee.exe, whitesee.exe, 00000001.00000002.277281514.0000000000560000.00000040.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: whitesee.exe, 00000000.00000002.229468015.000000000460A000.00000004.00000001.sdmp, whitesee.exe, 00000001.00000002.277762934.000000000240A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Data Exchange Service
            Source: whitesee.exe, 00000000.00000002.229468015.000000000460A000.00000004.00000001.sdmp, whitesee.exe, 00000001.00000002.277762934.000000000240A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Heartbeat Service
            Source: whitesee.exe, 00000000.00000002.229468015.000000000460A000.00000004.00000001.sdmp, whitesee.exe, 00000001.00000002.277762934.000000000240A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Guest Service Interface
            Source: whitesee.exe, 00000001.00000002.277762934.000000000240A000.00000004.00000001.sdmpBinary or memory string: vmicheartbeat

            Anti Debugging:

            barindex
            Contains functionality to hide a thread from the debuggerShow sources
            Source: C:\Users\user\Desktop\whitesee.exeCode function: 0_2_02191F20 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000040,021902F2,00000000,00000000,000000000_2_02191F20
            Hides threads from debuggersShow sources
            Source: C:\Users\user\Desktop\whitesee.exeThread information set: HideFromDebuggerJump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeThread information set: HideFromDebuggerJump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeThread information set: HideFromDebuggerJump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeCode function: 0_2_02191F20 rdtsc 0_2_02191F20
            Source: C:\Users\user\Desktop\whitesee.exeCode function: 0_2_02191E88 LdrInitializeThunk,0_2_02191E88
            Source: C:\Users\user\Desktop\whitesee.exeCode function: 0_2_02193498 mov eax, dword ptr fs:[00000030h]0_2_02193498
            Source: C:\Users\user\Desktop\whitesee.exeCode function: 0_2_0219303A mov eax, dword ptr fs:[00000030h]0_2_0219303A
            Source: C:\Users\user\Desktop\whitesee.exeCode function: 0_2_02190E3D mov eax, dword ptr fs:[00000030h]0_2_02190E3D
            Source: C:\Users\user\Desktop\whitesee.exeCode function: 0_2_02191B33 mov eax, dword ptr fs:[00000030h]0_2_02191B33
            Source: C:\Users\user\Desktop\whitesee.exeCode function: 0_2_02191359 mov eax, dword ptr fs:[00000030h]0_2_02191359
            Source: C:\Users\user\Desktop\whitesee.exeCode function: 0_2_02192D93 mov eax, dword ptr fs:[00000030h]0_2_02192D93
            Source: C:\Users\user\Desktop\whitesee.exeCode function: 0_2_021934B5 mov eax, dword ptr fs:[00000030h]0_2_021934B5
            Source: C:\Users\user\Desktop\whitesee.exeProcess created: C:\Users\user\Desktop\whitesee.exe 'C:\Users\user\Desktop\whitesee.exe' Jump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information:

            barindex
            Yara detected AzorultShow sources
            Source: Yara matchFile source: 00000001.00000003.272299325.000000001E968000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.277143523.000000001E060000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.269984627.000000001E95C000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.272222097.000000001E968000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.272206165.000000001E95C000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: whitesee.exe PID: 2396, type: MEMORY
            Yara detected LokibotShow sources
            Source: Yara matchFile source: Process Memory Space: whitesee.exe PID: 2396, type: MEMORY
            Found many strings related to Crypto-Wallets (likely being stolen)Show sources
            Source: whitesee.exe, 00000001.00000002.277579718.0000000000971000.00000004.00000020.sdmpString found in binary or memory: \ElectrumGr
            Source: whitesee.exe, 00000001.00000002.277611176.00000000009A6000.00000004.00000020.sdmpString found in binary or memory: bC:\Users\user\AppData\Roaming\Electrum\wallets\\electrum.datistorytaWeb Datab Datas\Cookies\\*.txt*.cookie
            Source: whitesee.exe, 00000001.00000002.277579718.0000000000971000.00000004.00000020.sdmpString found in binary or memory: (\Jaxx\Local Storage\
            Source: whitesee.exe, 00000001.00000002.277579718.0000000000971000.00000004.00000020.sdmpString found in binary or memory: "%APPDATA%\Exodus\Qt9
            Source: whitesee.exe, 00000001.00000002.277579718.0000000000971000.00000004.00000020.sdmpString found in binary or memory: (\Jaxx\Local Storage\
            Source: whitesee.exe, 00000001.00000002.277611176.00000000009A6000.00000004.00000020.sdmpString found in binary or memory: techvita.biz443AppData\Roaming\Ethereum\keystore\\s\\t.dat
            Source: whitesee.exe, 00000001.00000002.277579718.0000000000971000.00000004.00000020.sdmpString found in binary or memory: "%APPDATA%\Exodus\Qt9
            Source: whitesee.exe, 00000001.00000002.277579718.0000000000971000.00000004.00000020.sdmpString found in binary or memory: \Ethereumat
            Source: whitesee.exe, 00000001.00000002.277611176.00000000009A6000.00000004.00000020.sdmpString found in binary or memory: techvita.biz443AppData\Roaming\Ethereum\keystore\\s\\t.dat
            Source: whitesee.exe, 00000001.00000002.277611176.00000000009A6000.00000004.00000020.sdmpString found in binary or memory: >%appdata%\Electrum-LTC\wallets\lectrum\wallets\er Data\\\Web DataData\Web Dataab DataCookies\\*.cookiextie
            Tries to harvest and steal Bitcoin Wallet informationShow sources
            Source: C:\Users\user\Desktop\whitesee.exeKey opened: HKEY_CURRENT_USER\Software\monero-project\monero-coreJump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeKey opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-QtJump to behavior
            Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
            Source: C:\Users\user\Desktop\whitesee.exeKey opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\Jump to behavior
            Tries to harvest and steal browser information (history, passwords, etc)Show sources
            Source: C:\Users\user\Desktop\whitesee.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
            Tries to harvest and steal ftp login credentialsShow sources
            Source: C:\Users\user\Desktop\whitesee.exeFile opened: C:\Users\user\AppData\Roaming\filezilla\recentservers.xmlJump to behavior
            Tries to steal Crypto Currency WalletsShow sources
            Source: C:\Users\user\Desktop\whitesee.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\Jump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeFile opened: C:\Users\user\AppData\Roaming\Jaxx\Local Storage\Jump to behavior
            Tries to steal Instant Messenger accounts or passwordsShow sources
            Source: C:\Users\user\Desktop\whitesee.exeFile opened: C:\Users\user\AppData\Roaming\.purple\accounts.xmlJump to behavior
            Source: C:\Users\user\Desktop\whitesee.exeFile opened: C:\Users\user\AppData\Roaming\.purple\accounts.xmlJump to behavior
            Tries to steal Mail credentials (via file access)Show sources
            Source: C:\Users\user\Desktop\whitesee.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\OutlookJump to behavior
            Source: Yara matchFile source: 00000001.00000003.277087020.000000001F1D8000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.273555829.000000001EEA0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: whitesee.exe PID: 2396, type: MEMORY

            Remote Access Functionality:

            barindex
            Yara detected LokibotShow sources
            Source: Yara matchFile source: Process Memory Space: whitesee.exe PID: 2396, type: MEMORY

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management InstrumentationDLL Side-Loading1Process Injection11Virtualization/Sandbox Evasion22OS Credential Dumping2Security Software Discovery421Remote ServicesEmail Collection1Exfiltration Over Other Network MediumEncrypted Channel2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsDLL Side-Loading1Process Injection11Credentials in Registry2Process Discovery1Remote Desktop ProtocolData from Local System4Exfiltration Over BluetoothNon-Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Credentials In Files1Virtualization/Sandbox Evasion22SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Software Packing1NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptTimestomp1LSA SecretsSystem Information Discovery33SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.commonDLL Side-Loading1Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process